Merge remote-tracking branch 'upstream/main' into od_ext_impl

Signed-off-by: Christoph Pakulski <paker8848@gmail.com>

CODEOWNERS

@@ -62,7 +62,7 @@ extensions/filters/common/original_src @klarose @mattklein123
 # tracers.datadog extension
 /*/extensions/tracers/datadog @dmehala @mattklein123
 # tracers.xray extension
-/*/extensions/tracers/xray @suniltheta @mattklein123
+/*/extensions/tracers/xray @suniltheta @mattklein123 @nbaws
 # tracers.skywalking extension
 /*/extensions/tracers/skywalking @wbpcode @Shikugawa
 # tracers.opentelemetry extension
@@ -343,6 +343,8 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/geoip_providers/maxmind @nezdolik @ravenblackx
 # Match delegate extension
 /*/extensions/filters/http/match_delegate @wbpcode @jstraceski @tyxia
+# Generic proxy and related extensions
+/*/extensions/filters/network/generic_proxy/ @wbpcode @soulxu
 
 /*/extensions/health_checkers/common @zuercher @botengyao
 

api/BUILD

@@ -81,13 +81,7 @@ proto_library(
         "//contrib/envoy/extensions/filters/http/squash/v3:pkg",
         "//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/client_ssl_auth/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/action/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3:pkg",
         "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/v3:pkg",
         "//contrib/envoy/extensions/filters/network/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_broker/v3:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha:pkg",
@@ -230,6 +224,12 @@ proto_library(
         "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg",
         "//envoy/extensions/filters/network/echo/v3:pkg",
         "//envoy/extensions/filters/network/ext_authz/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/action/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/codecs/http1/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/v3:pkg",
         "//envoy/extensions/filters/network/http_connection_manager/v3:pkg",
         "//envoy/extensions/filters/network/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/mongo_proxy/v3:pkg",

api/bazel/repository_locations.bzl

@@ -144,11 +144,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.34.0",
-        sha256 = "82dcf1a5f45498b539a04d764e3cb274a13c8d94271c92508fc1624d227895ff",
+        version = "1.35.0",
+        sha256 = "a75c622b5d6fae792a0e64a04baa296681eacba7ce0c3c35d25c8b42da2f71e1",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-06-21",
+        release_date = "2024-07-22",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",

api/envoy/config/core/v3/socket_option.proto

@@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // :ref:`admin's <envoy_v3_api_field_config.bootstrap.v3.Admin.socket_options>` socket_options etc.
 //
 // It should be noted that the name or level may have different values on different platforms.
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message SocketOption {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketOption";
 
@@ -51,6 +51,29 @@ message SocketOption {
     STATE_LISTENING = 2;
   }
 
+  // The `socket type <https://linux.die.net/man/2/socket>`_ to apply the socket option to.
+  // Only one field should be set. If multiple fields are set, the precedence order will determine
+  // the selected one. If none of the fields is set, the socket option will be applied to all socket types.
+  //
+  // For example:
+  // If :ref:`stream <envoy_v3_api_field_config.core.v3.SocketOption.SocketType.stream>` is set,
+  // it takes precedence over :ref:`datagram <envoy_v3_api_field_config.core.v3.SocketOption.SocketType.datagram>`.
+  message SocketType {
+    // The stream socket type.
+    message Stream {
+    }
+
+    // The datagram socket type.
+    message Datagram {
+    }
+
+    // Apply the socket option to the stream socket type.
+    Stream stream = 1;
+
+    // Apply the socket option to the datagram socket type.
+    Datagram datagram = 2;
+  }
+
   // An optional name to give this socket option for debugging, etc.
   // Uniqueness is not required and no special meaning is assumed.
   string description = 1;
@@ -74,6 +97,10 @@ message SocketOption {
   // The state in which the option will be applied. When used in BindConfig
   // STATE_PREBIND is currently the only valid value.
   SocketState state = 6 [(validate.rules).enum = {defined_only: true}];
+
+  // Apply the socket option to the specified `socket type <https://linux.die.net/man/2/socket>`_.
+  // If not specified, the socket option will be applied to all socket types.
+  SocketType type = 7;
 }
 
 message SocketOptionsOverride {

api/envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -40,11 +40,12 @@ message ExtAuthz {
   //
   //  1. When set to true, the filter will *accept* client request even if the communication with
   //  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
-  //  error.
+  //  error. In case with GRPC authorization service, only PermissionDenied (7) and Unauthenticated (16)
+  //  status codes will *reject* client requests. And other GRPC statuses will *accept* client requests.
   //
   //  2. When set to false, ext-authz will *reject* client requests and return a *Forbidden*
   //  response if the communication with the authorization service has failed, or if the
-  //  authorization service has returned a HTTP 5xx error.
+  //  authorization service has returned a HTTP 5xx error or any non-Ok GRPC status.
   //
   // Note that errors can be *always* tracked in the :ref:`stats
   // <config_http_filters_ext_authz_stats>`.

api/envoy/config/trace/v3/xray.proto

@@ -21,6 +21,65 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: AWS X-Ray Tracer Configuration]
 // Configuration for AWS X-Ray tracer
+//
+// The X-Ray tracer will automatically attach :ref:`custom_tags <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags>` as annotations to the span. (See: `Annotations <https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-annotations>`_.)
+//
+// AWS X-Ray trace annotations are also created by the tracing subsystem automatically based on metadata provided during creation of a span.
+//
+// An example X-Ray trace span that is generated by the envoy trace subsystem is as follows:
+//
+// .. code-block:: json
+//
+//   {
+//     "Id": "1-6698980d-e829ae270ab34b69b488b098",
+//     "Duration": 0.016,
+//     "LimitExceeded": false,
+//     "Segments":
+//     [
+//       {
+//         "Id": "15d65e5ced8dfe76",
+//         "Document":
+//         {
+//           "id": "15d65e5ced8dfe76",
+//           "name": "envoy-example",
+//           "start_time": 1721276429.410355,
+//           "trace_id": "1-6698980d-e829ae270ab34b69b488b098",
+//           "end_time": 1721276429.426068,
+//           "fault": true,
+//           "http":
+//           {
+//             "request":
+//             {
+//               "url": "http://example/path",
+//               "method": "GET",
+//               "user_agent": "curl/8.5.0",
+//               "client_ip": "127.0.0.1",
+//               "x_forwarded_for": false
+//             },
+//             "response":
+//             {
+//               "status": 503,
+//               "content_length": 216
+//             }
+//           },
+//           "aws": {},
+//           "annotations":
+//           {
+//             "response_flags": "UF",
+//             "component": "proxy",
+//             "upstream_cluster": "upstream_cluster",
+//             "annotation_from_custom_tag": "example",
+//             "http.protocol": "HTTP/1.1",
+//             "request_size": "0",
+//             "downstream_cluster": "-",
+//             "direction": "ingress",
+//             "upstream_cluster.name": "upstream_cluster"
+//           }
+//         }
+//       }
+//     ]
+//   }
+//
 
 // [#extension: envoy.tracers.xray]
 message XRayConfig {

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -11,6 +11,7 @@ import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/v3/http_status.proto";
 
+import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
 import "envoy/annotations/deprecation.proto";
@@ -29,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 28]
+// [#next-free-field: 29]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -56,11 +57,12 @@ message ExtAuthz {
   //
   //  1. When set to true, the filter will ``accept`` client request even if the communication with
   //  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
-  //  error.
+  //  error. In case with GRPC authorization service, only PermissionDenied (7) and Unauthenticated (16)
+  //  status codes will ``reject`` client requests. And other GRPC statuses will ``accept`` client requests.
   //
   //  2. When set to false, ext-authz will ``reject`` client requests and return a ``Forbidden``
   //  response if the communication with the authorization service has failed, or if the
-  //  authorization service has returned a HTTP 5xx error.
+  //  authorization service has returned a HTTP 5xx error or any non-Ok GRPC status.
   //
   // Note that errors can be ``always`` tracked in the :ref:`stats
   // <config_http_filters_ext_authz_stats>`.
@@ -290,6 +292,11 @@ message ExtAuthz {
   //
   // If unset, defaults to true.
   google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
+
+  // Additional metadata to be added to the filter state for logging purposes. The metadata will be
+  // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
+  // name.
+  google.protobuf.Struct filter_metadata = 28;
 }
 
 // Configuration for buffering the request data.

api/contrib/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto → api/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto

@@ -16,7 +16,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.action.v3";
 option java_outer_classname = "ActionProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/action/v3;actionv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/action/v3;actionv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto → api/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto

@@ -9,7 +9,7 @@ import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.codecs.dubbo.v3";
 option java_outer_classname = "DubboProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3;dubbov3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3;dubbov3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto → api/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto

@@ -11,7 +11,7 @@ import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.codecs.http1.v3";
 option java_outer_classname = "Http1Proto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3;http1v3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3;http1v3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto → api/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto

@@ -12,7 +12,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.matcher.v3";
 option java_outer_classname = "MatcherProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3;matcherv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/matcher/v3;matcherv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto → api/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto

@@ -9,7 +9,7 @@ import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.router.v3";
 option java_outer_classname = "RouterProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/router/v3;routerv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/router/v3;routerv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto → api/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto

@@ -2,10 +2,10 @@ syntax = "proto3";
 
 package envoy.extensions.filters.network.generic_proxy.v3;
 
-import "contrib/envoy/extensions/filters/network/generic_proxy/v3/route.proto";
 import "envoy/config/accesslog/v3/accesslog.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/extension.proto";
+import "envoy/extensions/filters/network/generic_proxy/v3/route.proto";
 import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
 
 import "xds/annotations/v3/status.proto";
@@ -16,7 +16,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.v3";
 option java_outer_classname = "GenericProxyProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/v3/route.proto → api/envoy/extensions/filters/network/generic_proxy/v3/route.proto

@@ -11,7 +11,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.v3";
 option java_outer_classname = "RouteProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -63,7 +63,7 @@ message UpstreamTlsContext {
   google.protobuf.BoolValue enforce_rsa_key_usage = 5;
 }
 
-// [#next-free-field: 11]
+// [#next-free-field: 12]
 message DownstreamTlsContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.DownstreamTlsContext";
@@ -140,6 +140,11 @@ message DownstreamTlsContext {
   // If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
   // Defaults to false. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
   google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
+
+  // By default, Envoy as a server uses its preferred cipher during the handshake.
+  // Setting this to true would allow the downstream client's preferred cipher to be used instead.
+  // Has no effect when using TLSv1_3.
+  bool prefer_client_ciphers = 11;
 }
 
 // TLS key log configuration.

api/envoy/service/ext_proc/v3/external_processor.proto

@@ -206,12 +206,8 @@ message ProcessingResponse {
 message HttpHeaders {
   // The HTTP request headers. All header keys will be
   // lower-cased, because HTTP header keys are case-insensitive.
-  // The ``headers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   config.core.v3.HeaderMap headers = 1;
 
   // [#not-implemented-hide:]
@@ -235,12 +231,8 @@ message HttpBody {
 
 // This message contains the trailers.
 message HttpTrailers {
-  // The ``trailers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   config.core.v3.HeaderMap trailers = 1;
 }
 
@@ -308,12 +300,8 @@ message CommonResponse {
   // Add new trailers to the message. This may be used when responding to either a
   // HttpHeaders or HttpBody message, but only if this message is returned
   // along with the CONTINUE_AND_REPLACE status.
-  // The ``trailers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   config.core.v3.HeaderMap trailers = 4;
 
   // Clear the route cache for the current client request. This is necessary
@@ -362,12 +350,8 @@ message HeaderMutation {
   // Add or replace HTTP headers. Attempts to set the value of
   // any ``x-envoy`` header, and attempts to set the ``:method``,
   // ``:authority``, ``:scheme``, or ``host`` headers will be ignored.
-  // The ``set_headers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   repeated config.core.v3.HeaderValueOption set_headers = 1;
 
   // Remove these HTTP headers. Attempts to remove system headers --